Apple: Airport fixes issues found via internal audit, not from SecureWorks

“Apple on Thursday released a Security and AirPort update for Mac OS X that fixes vulnerabilities found in the company’s wireless drivers. Apple said the issues found were the result of an internal audit of the software drivers and that no known exploits exist for the issues addressed in this update,” Jim Dalrymple reports for Macworld.

“The internal audit came as a result of claims by a senior researcher at SecureWorks that said he had revealed a vulnerability in Apple’s MacBook wireless software driver that would allow him to take control of the machine. SecureWorks later clarified its position and said it had used a third-party driver and not Apple’s driver,” Dalrymple reports.

Dalrymple reports, “Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way. ‘They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,’ Apple spokesman, Anuj Nayar, told Macworld. ‘Today’s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.’”

More in the full article here.

Related articles:
Apple releases AirPort Update 2006-001 and Security Update 2006-005 – September 21, 2006
SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’ – August 18, 2006
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006
Hijacking an Apple Macbook in 60 seconds video posted online – August 03, 2006
Hijacking an Apple Macbook in 60 seconds – August 02, 2006

29 Comments

  1. This SecureWorks situation is a classic case of misinformation. (command control d + mouse over “misinformation” for an explanation)

    The fact is Apple DID issue a security update that DOES FIX wireless exploit(s) in Apple hardware/software.

    What do you think a “black hat” is anyway? I’m glad they wanted to piss us off or nobody would have ever known about a serious exploit.

    Has anyone here worked for Apple security channels? Then you’ll know they want YOU to find the bugs.

    Apple is notoriously lazy when it comes to checking their code.

    For instance the launchd exploit, a malformed line of code that left all 10.4-10.4.6 Macs completely vulnerable. Could have been easily caught if code checking software was used before release.

    Here again is an update for wireless software, because APPLE DID AN INTERNAL AUDIT.

    Now why didn’t Apple do this BEFORE RELEASING THE CODE?

    I remember contacting Apple about the URL handler exploits of 10.3, they just ignored my phone calls and emails to their security channels.

    Finally when the exploit made the press did Apple act, just like in this case.

    SecureWorks did the right thing, they forced Apple to do their own work.

    Kudos to SecureWorks and thanks for pissing us off and bringing attention to Apple’s lazy security behavior.

  2. Oh yeah, l33th@xx0rz, I guess next time, every Black Hat attendee can film themselves “cracking” a Mac and then say, “Look! We found a security vulnerability in OS X!”

    Then a hundred of them can sit around and simply wait for Apple to release a patch for some unrelated issue, and then say, “Oh yeah! Party! We forced Apple to do their jobs by making them aware of security issues in OS X!”

    Yeah, right.

    l33th@xx0rz’s logic is as ridiculous as his handle. A lot of characters, saying nothing.

  3. 133th@xx0rz,

    Give us a list of Mac OS X exploits.

    Not a list of patched vulnerabilities but a list of exploits.

    Not a list of exploits that were publicized by AV software company reps after the patch was released by Apple but a list of Mac OS X exploits that could bring down my computer as I type this.

    Hint, there are none.

  4. By the way, here’s a simple explanation that solves the problem of security researchers refusing to share the details of their “research.”

    Basically, SecureWorks found indications that there might be a way to hack the wireless protocols. However, they were unable to nail it down in time for the Black Hat conference.

    Still, being cock-sure hackers, they felt it would simply be a matter of time. So they rigged a demo to show how the hack was supposed to work even though they hadn’t figured out exactly how to get it working for real. After all, once they figured it out, it would be the same thing as what the simulation showed, right?

    Unfortunately, the guys at SecureWorks fell into their own trap. It turned out they were not smart enough to actually come up with the exploit, which explains their absolute refusal to show the details of their exploit to anyone. So they spent the last month doing everything but show the exploit, whether to Apple, 3rd party developers, or other bona fide security researchers.

    During this time, Apple finds other vulnerabilities and patches them. The SecureWorks guys are still flailing around trying to get their original exploit to work.

    Chances are, with Apple now having done a thorough internal audit, the chances that the original exploit was real just go down. SecureWorks will put out a lame statement saying, “This is exactly what we intended, to force Apple to fix vulnerabilities in OS X,” which is the logical equivalent of saying, “We predict a burglary will occur sometime in the future in this country. The government should be doing its job to prevent such burglaries instead of sitting on their asses. You heard it from us, heroes all, for forcing the government to do its job in preventing burglaries.”

    Just goes to show you, there is no limit on idiocy these days.
